[SOLVED] SSHD Alternative Port + selinux

Sum1 · 05-19-2016, 02:49 PM

A very brief report.
Hope it's helpful for others.

Last night I replaced our company's old linux router with a new one running CentOS 7.
Today, I decided to change the standard listening port 22 to 4444.

Code:

#Port 22

changed to

Code:

Port 4444

systemctl stop sshd.service
and then
systemctl start sshd.service

Users started calling saying "No internet! No internet!"

systemctl status sshd.service showed that ssh daemon failed and exited with a status code I didn't understand.
So the first hope was a simple cure by simple reboot; but, no go. Still no internet.

I tethered my notebook to my android for internet access and found info. about a command "semanage" to tell selinux that the sshd service is now listening on a different port and that's okay. I tried the commmand and it's not found on my freshly updated centos 7 router.

So then I wanted to review the basic selinux settings and found the following in /etc/sysconfig/selinux:

Code:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

OK, supposedly permissive mode only casts out warnings but doesn't enforce/inhibit any daemons or services, right?
But sshd.service continued to fail and exit upon start and there was no internet access.
So, nothing to lose by trying:

Code:

SELINUX=disabled

Reboot.
All good.
Alternative sshd port setting allows connections on that destination port.
All users on the LAN regained access to the internet.

I haven't worked with selinux enough to understand how to deploy it carefully while still allowing multiple services. Simply reporting the only way I found to use an alternate sshd port was to disable selinux.

Cheers.

AlucardZero · 05-19-2016, 03:04 PM

None of this proves selinux had anything to do with it. Looking at the logs before rebooting, starting with the secure/auth log, would have been much more informative, instead of assuming the problem and the (probably coincidental) fix.

Sum1 · 05-19-2016, 03:46 PM

Mr, Zero - you could be very right about that.
I've posted some /var/log/secure content from the time the internet was down after changing the sshd listening port:

Code:

May 19 13:06:30 localhost sshd[925]: Received signal 15; terminating.
May 19 13:06:30 localhost polkitd[672]: Unregistered Authentication Agent for unix-process:4477:5241808 (system bus name :1.74, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
May 19 13:06:30 localhost sshd[4484]: error: Bind to port 4444 on 0.0.0.0 failed: Permission denied.
May 19 13:06:30 localhost sshd[4484]: error: Bind to port 4444 on :: failed: Permission denied.
May 19 13:06:30 localhost sshd[4484]: fatal: Cannot bind any address.
May 19 13:06:33 localhost polkitd[672]: Registered Authentication Agent for unix-process:4486:5242126 (system bus name :1.75 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
May 19 13:06:33 localhost polkitd[672]: Unregistered Authentication Agent for unix-process:4486:5242126 (system bus name :1.75, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
May 19 13:06:33 localhost sshd[4491]: error: Bind to port 4444 on 0.0.0.0 failed: Permission denied.
May 19 13:06:33 localhost sshd[4491]: error: Bind to port 4444 on :: failed: Permission denied.
May 19 13:06:33 localhost sshd[4491]: fatal: Cannot bind any address.
May 19 13:06:34 localhost polkitd[672]: Registered Authentication Agent for unix-process:4493:5242237 (system bus name :1.76 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
May 19 13:06:34 localhost polkitd[672]: Unregistered Authentication Agent for unix-process:4493:5242237 (system bus name :1.76, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
May 19 13:06:34 localhost sshd[4498]: error: Bind to port 4444 on 0.0.0.0 failed: Permission denied.
May 19 13:06:34 localhost sshd[4498]: error: Bind to port 4444 on :: failed: Permission denied.
May 19 13:06:34 localhost sshd[4498]: fatal: Cannot bind any address.
May 19 13:06:55 localhost sshd[4434]: pam_unix(sshd:session): session closed for user root
May 19 13:07:16 localhost sshd[4503]: error: Bind to port 4444 on 0.0.0.0 failed: Permission denied.
May 19 13:07:16 localhost sshd[4503]: error: Bind to port 4444 on :: failed: Permission denied.
May 19 13:07:16 localhost sshd[4503]: fatal: Cannot bind any address.
May 19 13:07:58 localhost sshd[4505]: error: Bind to port 4444 on 0.0.0.0 failed: Permission denied.
May 19 13:07:58 localhost sshd[4505]: error: Bind to port 4444 on :: failed: Permission denied.
May 19 13:07:58 localhost sshd[4505]: fatal: Cannot bind any address.
May 19 13:08:40 localhost sshd[4507]: error: Bind to port 4444 on 0.0.0.0 failed: Permission denied.
May 19 13:08:40 localhost sshd[4507]: error: Bind to port 4444 on :: failed: Permission denied.
May 19 13:08:40 localhost sshd[4507]: fatal: Cannot bind any address.
May 19 13:09:23 localhost sshd[4509]: error: Bind to port 4444 on 0.0.0.0 failed: Permission denied.
May 19 13:09:23 localhost sshd[4509]: error: Bind to port 4444 on :: failed: Permission denied.
May 19 13:09:23 localhost sshd[4509]: fatal: Cannot bind any address.
May 19 13:10:05 localhost sshd[4511]: error: Bind to port 4444 on 0.0.0.0 failed: Permission denied.
May 19 13:10:05 localhost sshd[4511]: error: Bind to port 4444 on :: failed: Permission denied.
May 19 13:10:05 localhost sshd[4511]: fatal: Cannot bind any address.
May 19 13:10:47 localhost sshd[4532]: error: Bind to port 4444 on 0.0.0.0 failed: Permission denied.
May 19 13:10:47 localhost sshd[4532]: error: Bind to port 4444 on :: failed: Permission denied.
May 19 13:10:47 localhost sshd[4532]: fatal: Cannot bind any address.
May 19 13:11:29 localhost sshd[4534]: error: Bind to port 4444 on 0.0.0.0 failed: Permission denied.
May 19 13:11:29 localhost sshd[4534]: error: Bind to port 4444 on :: failed: Permission denied.
May 19 13:11:29 localhost sshd[4534]: fatal: Cannot bind any address.
May 19 13:12:11 localhost sshd[4536]: error: Bind to port 4444 on 0.0.0.0 failed: Permission denied.
May 19 13:29:18 localhost polkitd[672]: Unregistered Authentication Agent for unix-process:4730:5378621 (system bus name :1.86, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
May 19 13:29:21 localhost polkitd[672]: Registered Authentication Agent for unix-process:4801:5378960 (system bus name :1.87 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
May 19 13:29:21 localhost polkitd[672]: Unregistered Authentication Agent for unix-process:4801:5378960 (system bus name :1.87, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
May 19 13:29:34 localhost polkitd[672]: Registered Authentication Agent for unix-process:4823:5380214 (system bus name :1.88 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
May 19 13:29:34 localhost polkitd[672]: Unregistered Authentication Agent for unix-process:4823:5380214 (system bus name :1.88, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
May 19 13:29:47 localhost polkitd[672]: Registered Authentication Agent for unix-process:4839:5381527 (system bus name :1.89 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
May 19 13:29:47 localhost polkitd[672]: Unregistered Authentication Agent for unix-process:4839:5381527 (system bus name :1.89, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
May 19 13:29:53 localhost login: pam_unix(login:session): session closed for user root
May 19 13:30:29 localhost sshd[4860]: error: Bind to port 4444 on 0.0.0.0 failed: Permission denied.
May 19 13:30:29 localhost sshd[4860]: error: Bind to port 4444 on :: failed: Permission denied.
May 19 13:30:29 localhost sshd[4860]: fatal: Cannot bind any address.
May 19 13:31:11 localhost sshd[4862]: error: Bind to port 4444 on 0.0.0.0 failed: Permission denied.
May 19 13:31:11 localhost sshd[4862]: error: Bind to port 4444 on :: failed: Permission denied.
May 19 13:31:11 localhost sshd[4862]: fatal: Cannot bind any address.
May 19 13:31:53 localhost sshd[4864]: error: Bind to port 4444 on 0.0.0.0 failed: Permission denied.
May 19 13:31:53 localhost sshd[4864]: error: Bind to port 4444 on :: failed: Permission denied.
May 19 13:31:53 localhost sshd[4864]: fatal: Cannot bind any address.

And then after disabling selinux and rebooting:

Code:

May 19 14:10:56 localhost polkitd[673]: Registered Authentication Agent for unix-process:2329:196896 (system bus name :1.17 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
May 19 14:10:56 localhost polkitd[673]: Unregistered Authentication Agent for unix-process:2329:196896 (system bus name :1.17, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
May 19 14:11:59 localhost polkitd[667]: Loading rules from directory /etc/polkit-1/rules.d
May 19 14:11:59 localhost polkitd[667]: Loading rules from directory /usr/share/polkit-1/rules.d
May 19 14:11:59 localhost polkitd[667]: Finished loading, compiling and executing 2 rules
May 19 14:11:59 localhost polkitd[667]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
May 19 14:12:07 localhost sshd[920]: Server listening on 0.0.0.0 port 4444.
May 19 14:12:07 localhost sshd[920]: Server listening on :: port 4444.
May 19 14:12:46 localhost login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
May 19 14:12:46 localhost login: ROOT LOGIN ON tty1

If you have a min, can you provide some guidance on what to follow up on regarding rules in /etc/polkit-1/rules.d and /usr/share/polkit-1/rules.d.
Thank you for reading this.

Doug G · 05-19-2016, 11:16 PM

To tell selinux (centos7, fedora) about the alternate port, I use a command like

Quote:

semanage port -a -t ssh_port_t -p tcp 4444

Sum1 · 05-20-2016, 06:32 AM

Hi Doug, I tried that command and shell reported -

Code:

-bash: semanage: command not found

I've since googled and found how to get semanage on centos7.
If I decide to implement selinux, I'll give it another try.

Thanks for your help.